[Ffmpeg-devel] Buffer overflow in ffdca

Uoti Urpala uoti.urpala
Fri Apr 27 02:36:37 CEST 2007


The loop at line 1104 doesn't check that the packet fits in the output
buffer.

Maybe that was caused by confusion about how the bitstream writer works
- the code gives the output buffer size to init_put_bits(), but the
writer will just ignore that.
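An added illustration of the two points in the message above, not part of the original post and not FFmpeg's code: a toy bit writer whose put routine actually enforces the size given at init, and a caller that checks the packet fits before its loop runs. All names (`BitWriter`, `bw_init`, `bw_put`, `write_packet`) are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy MSB-first bit writer (hypothetical; not FFmpeg's PutBitContext). */
typedef struct {
    uint8_t *buf;   /* start of the output buffer */
    uint8_t *ptr;   /* next byte to write */
    uint8_t *end;   /* one past the last writable byte */
    uint32_t acc;   /* bit accumulator */
    int nbits;      /* number of pending bits in acc */
} BitWriter;

static void bw_init(BitWriter *w, uint8_t *buf, size_t size)
{
    w->buf = w->ptr = buf;
    w->end = buf + size;   /* the size is recorded AND enforced in bw_put */
    w->acc = 0;
    w->nbits = 0;
}

/* Append the low n bits (1..16) of v. Returns 0, or -1 if the buffer is full. */
static int bw_put(BitWriter *w, int n, uint32_t v)
{
    if (n < 1 || n > 16)
        return -1;
    w->acc = (w->acc << n) | (v & ((1u << n) - 1));
    w->nbits += n;
    while (w->nbits >= 8) {
        if (w->ptr >= w->end)   /* without this check the size is ignored */
            return -1;
        *w->ptr++ = (uint8_t)(w->acc >> (w->nbits - 8));
        w->nbits -= 8;
    }
    return 0;
}

/* Emit count 16-bit words. Returns bytes written, or -1 if they cannot fit. */
static int write_packet(uint8_t *out, size_t out_size,
                        const uint16_t *words, size_t count)
{
    BitWriter w;
    if (count > out_size / 2)   /* up-front check on the loop bound */
        return -1;
    bw_init(&w, out, out_size);
    for (size_t i = 0; i < count; i++)
        if (bw_put(&w, 16, words[i]) < 0)
            return -1;          /* second line of defence inside the writer */
    return (int)(w.ptr - w.buf);
}
```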




